Prepare supported PBKDF2 implementation autodetection for gcrypt.

diff --git a/configure.ac b/configure.ac
index dba71fa..004efa5 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -115,6 +115,8 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
        else
                GCRYPT_REQ_VERSION=1.1.42
        fi
+       dnl Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password)
+       AM_PATH_LIBGCRYPT([1.6.0], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1])
        AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])
 
        if test x$enable_static_cryptsetup = xyes; then
@@ -139,6 +141,7 @@ AC_DEFUN([CONFIGURE_OPENSSL], [
                AC_MSG_ERROR([You need openssl library.]))
        CRYPTO_CFLAGS=$OPENSSL_CFLAGS
        CRYPTO_LIBS=$OPENSSL_LIBS
+       use_internal_pbkdf2=0
 
        if test x$enable_static_cryptsetup = xyes; then
                saved_PKG_CONFIG=$PKG_CONFIG
@@ -167,6 +170,7 @@ AC_DEFUN([CONFIGURE_NSS], [
 
        CRYPTO_CFLAGS=$NSS_CFLAGS
        CRYPTO_LIBS=$NSS_LIBS
+       use_internal_pbkdf2=1
        NO_FIPS([])
 ])
 
@@ -176,6 +180,7 @@ AC_DEFUN([CONFIGURE_KERNEL], [
 #      AC_CHECK_DECLS([AF_ALG],,
 #              [AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
 #              [#include <sys/socket.h>])
+       use_internal_pbkdf2=1
        NO_FIPS([])
 ])
 
@@ -190,6 +195,7 @@ AC_DEFUN([CONFIGURE_NETTLE], [
        LIBS=$saved_LIBS
 
        CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
+       use_internal_pbkdf2=1
        NO_FIPS([])
 ])
 
@@ -280,6 +286,9 @@ AM_CONDITIONAL(CRYPTO_BACKEND_NSS,     test $with_crypto_backend = nss)
 AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL,  test $with_crypto_backend = kernel)
 AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE,  test $with_crypto_backend = nettle)
 
+AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1)
+AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2])
+
 dnl Magic for cryptsetup.static build.
 if test x$enable_static_cryptsetup = xyes; then
        saved_PKG_CONFIG=$PKG_CONFIG

diff --git a/lib/crypto_backend/Makefile.am b/lib/crypto_backend/Makefile.am
index ed3937c..b8c04bb 100644 (file)
--- a/lib/crypto_backend/Makefile.am
+++ b/lib/crypto_backend/Makefile.am
@@ -9,21 +9,21 @@ libcrypto_backend_la_SOURCES = crypto_backend.h \
 
 if CRYPTO_BACKEND_GCRYPT
 libcrypto_backend_la_SOURCES += crypto_gcrypt.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 if CRYPTO_BACKEND_OPENSSL
 libcrypto_backend_la_SOURCES += crypto_openssl.c
 endif
 if CRYPTO_BACKEND_NSS
 libcrypto_backend_la_SOURCES += crypto_nss.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 if CRYPTO_BACKEND_KERNEL
 libcrypto_backend_la_SOURCES += crypto_kernel.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 if CRYPTO_BACKEND_NETTLE
 libcrypto_backend_la_SOURCES += crypto_nettle.c
+endif
+
+if CRYPTO_INTERNAL_PBKDF2
 libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 

diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
index 821eff5..0916eb2 100644 (file)
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -261,21 +261,14 @@ int crypt_pbkdf(const char *kdf, const char *hash,
                char *key, size_t key_length,
                unsigned int iterations)
 {
+#if USE_INTERNAL_PBKDF2
        if (!kdf || strncmp(kdf, "pbkdf2", 6))
                return -EINVAL;
 
        return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
                            iterations, key_length, key);
-}
 
-#if 0
-/* Until bug in gcrypt related to empty password is fixed,  cannot use this */
-int crypt_pbkdf(const char *kdf, const char *hash,
-               const char *password, size_t password_length,
-               const char *salt, size_t salt_length,
-               char *key, size_t key_length,
-               unsigned int iterations)
-{
+#else /* USE_INTERNAL_PBKDF2 */
        int hash_id = gcry_md_map_name(hash);
        int kdf_id;
 
@@ -292,5 +285,5 @@ int crypt_pbkdf(const char *kdf, const char *hash,
                return -EINVAL;
 
        return 0;
+#endif /* USE_INTERNAL_PBKDF2 */
 }
-#endif